re, anti btrom

From: Martin Markovitz (stealthat_private)
Date: Wed Sep 08 1999 - 10:47:13 PDT

    hi,
    Sorry for the somewhat late reply...
    
    >Why is it not convenient to use the sys_call_table?
    >Using the sys_call_table to hook a system call is the 'right way', but it is
    >not for a stealth module, because programs like "btrom" can detect that, and
    >having the 'System.map' (file that every paranoid administrator must have),
    The problems are:
    1.) If you assume you have a break-in, you can't depend on System.map
        or anything else. Attackers may even install a new kernel, not only modules.
    2.) New and unknown techniques may exist that you don't know about, and scanners like
        btrom die on that. Thus you may think that all is OK, but it isn't. :(
    3.) => Securelevels such as BSD's make the kernel more trustworthy even if you
        think that someone broke in.
    
    What I have seen in most hacker/backdoor modules is that they do something like
    
        mp->name="";
        mp->size=0;
    
    but do not really remove the module from the list.
    So you could write something like radar.c (once written to bypass EoE) which could
    maybe help you:
    
    
    /*** Used to detect stealth modules. ;-)
     *** Linux 2.2-era module: walks the kernel's module list starting at this
     *** module and prints every entry, so a module that blanked its name but
     *** stayed linked shows up with an empty name. Build with -DKILL_EOE to
     *** also force EoE's use count down to zero so it can be rmmod'ed.
     ***/
    #define __KERNEL__
    #define MODULE
    #include <linux/module.h>
    #include <linux/kernel.h>	/* printk, KERN_INFO */
    #include <linux/string.h>	/* strstr */
    
    int init_module(void)
    {
    	/* A freshly loaded module sits at the head of the list, so walking
    	 * ->next from here covers every entry. */
    	struct module *m = &__this_module;
    
    	while (m) {
    		/* Quote the name so an empty one is visible in the log. */
    		printk(KERN_INFO "Found: '%s'\n", m->name);
    #ifdef KILL_EOE
    		/* Decrement until the count is zero; a for loop that re-reads
    		 * GET_USE_COUNT() as its bound stops halfway. */
    		if (strstr(m->name, "eoe")) {
    			while (GET_USE_COUNT(m) > 0)
    				__MOD_DEC_USE_COUNT(m);
    		}
    #endif
    		/* The last entry is the resident kernel's own pseudo-module,
    		 * whose name is also "", so one empty name at the tail is normal. */
    		m = m->next;
    	}
    	return 0;
    }
    
    void cleanup_module(void)
    {
    }
    
    
    OK, you may see output like 'Found: ' which shows you 'Aha! there is something
    that hides itself', because name="". Be happy as long as you can see the
    not-so-stealth modules.
    So. But this is only a special solution, as _all_ scanners would be special solutions
    which would all die on techniques like
    
    	o not hooking syscalls, but stealing ...->files->fd[i]->f_op or
              replacing it.
    	o unregistering/registering drivers on the fly ;-)
    	o deleting modules from the list, either as described in
              stealth.c or with other techniques
    	o etc.
    
    Oh ... when do securelevels appear in Linux ... :-)
    
    Stealth
    
    
    : ---- main(){fork();main();} ----
    : Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
    : Stealth <-> http://www.kalug.lug.net/stealth
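The two hiding techniques the post contrasts (blanking name/size versus unlinking the struct) and the radar.c walk that catches only the first can be played through in userspace. The following is an added example, not part of Stealth's post and not radar.c itself: it models the three fields of a 2.2-era struct module that the walk touches (a constructed stand-in, not the kernel's definition), keeps a resident-kernel pseudo-module with an empty name at the tail the way the real list ends, and applies each trick to a constructed list of three module names before running the walk over it.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed userspace stand-in for the fields of a 2.2-era struct module
 * that the radar walk touches. Not the kernel's definition. */
struct module {
	struct module *next;
	const char *name;
	unsigned long size;
};

struct radar_report {
	int visible;		/* entries reachable from the head, kernel tail excluded */
	int suspicious;		/* visible entries with an empty name or zero size */
};

#define MAX_MODULES 8
static struct module pool[MAX_MODULES];	/* stands in for kmalloc'd module structs */

/* The resident kernel pseudo-module ends the list; its name is "" too,
 * so an empty name is only suspicious for a non-tail entry. */
static struct module kernel_module = { NULL, "", 0 };

/* Link names[0..n-1] in front of kernel_module. names[0] is linked first,
 * so the last name ends up at the head, the way insmod puts the newest
 * module in front. */
static struct module *build_list(const char *const *names, size_t n)
{
	struct module *head = &kernel_module;
	for (size_t i = 0; i < n && i < MAX_MODULES; i++) {
		pool[i].name = names[i];
		pool[i].size = 4096 * (i + 1);
		pool[i].next = head;
		head = &pool[i];
	}
	return head;
}

/* The not-so-stealth trick from the post: blank name and size, stay linked. */
static void hide_by_blanking(struct module *m)
{
	m->name = "";
	m->size = 0;
}

/* The stronger trick the post lists: unlink the struct from the list. */
static void hide_by_unlinking(struct module **head, struct module *m)
{
	for (struct module **pp = head; *pp; pp = &(*pp)->next) {
		if (*pp == m) {
			*pp = m->next;
			m->next = NULL;
			return;
		}
	}
}

/* radar.c's walk as a function: print each entry, flag the odd ones,
 * and stop before the kernel pseudo-module at the tail. */
static struct radar_report radar_walk(const struct module *head)
{
	struct radar_report r = { 0, 0 };
	for (const struct module *m = head; m && m->next; m = m->next) {
		printf("Found: '%s' (size %lu)\n", m->name, m->size);
		r.visible++;
		if (m->name[0] == '\0' || m->size == 0)
			r.suspicious++;
	}
	return r;
}

static const char *const sample_names[] = { "eoe", "ppp", "nfs" };	/* constructed */

/* Blanking: the walk still sees three entries, one with no name. */
struct radar_report scenario_blanking(void)
{
	struct module *head = build_list(sample_names, 3);
	hide_by_blanking(&pool[0]);		/* "eoe" blanks itself */
	return radar_walk(head);
}

/* Unlinking: the walk sees two clean entries and cannot tell that a
 * third ever existed; this is why the post calls every such scanner
 * a special solution. */
struct radar_report scenario_unlinking(void)
{
	struct module *head = build_list(sample_names, 3);
	hide_by_unlinking(&head, &pool[0]);	/* "eoe" drops out of the list */
	return radar_walk(head);
}

int main(void)
{
	struct radar_report a = scenario_blanking();
	struct radar_report b = scenario_unlinking();
	printf("blanking:  %d visible, %d suspicious\n", a.visible, a.suspicious);
	printf("unlinking: %d visible, %d suspicious\n", b.visible, b.suspicious);
	return 0;
}
```

The walk has no second source of truth, so a count of two clean entries after unlinking looks identical to a system that only ever loaded two modules; any detector that relies on the list alone inherits that blind spot.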
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:29 PDT